Friday, 28 November 2008

A colourful lottery scam featuring Bill Gates. The pitch is that the Bill Gates Foundation is running a lottery and you have won €400,000 which for some reason will be paid through a bank in the Ivory Coast. It is all written in fairly simple French, and it isn't difficult to see that the pitch is basically the same as in English.

Unusually, the scam comes with a PDF attachment that gives more details. On the principle that unsolicited PDF files can often come with nasty surprises, here is a JPG version for you to enjoy:

Wednesday, 26 November 2008

Nice for them to label this as "spam". SINOCHEM is a legitimate and huge Chinese chemicals company, but they did not send this email. Why would SINOCHEM need to use a Yahoo! email account anyway? Liu Deshu really is the president of SINOCHEM though; it's a case of the scammers trying to use a real name to make it more convincing.

Tuesday, 25 November 2008

BobBear.co.uk is a comprehensive resource covering money laundering and parcel reshipping scams. Recently it has been under a DDOS attack from the Bad Guys. They have followed this up with a Joe Job, with a series of offensive email messages apparently "from" Bob Harrison who runs BobBear. This has happened before.

The messages have faked "from" addresses at @tiscali.co.uk and @gmail.com accounts, presumably those belonging to Bob Harrison, in an attempt to get his mailboxes shut down.

Sample subjects are:

Fukkah

Bitched

Butthole

Penises

Mutha Fuker

Suck

Polack

Sample body text:

your son sexy nigger boob knobz knobs

your father pusse phuker

your mother asholes retard

your son cnts cock head bitches knobs

our daughter mutha fucker phuc

your dad phuck sluts

your son cocksucker fuker

There are probably hundreds of hosts sending out this mail, but I have seen 128.130.173.77 and 65.98.57.10 repeatedly.

Don't bother complaining to Tiscali or Gmail about this; BobBear is not sending out the spam. Instead, use a reporting service such as SpamCop to send a complaint back to whoever manages the sending machine.

Monday, 24 November 2008

Sometimes it is hard to see what the scam is with some of the job offers, except that undoubtedly it IS a scam. This job offer from the fictitious "Ran-De-Vou Co." offers a proofreading job, which is kind of unusual at first glance.

Subject: Successful Positions Available

Dear Job Seeker,

We are glad to inform you about new vacancy opening in the area of proofreading at Ran-De-Vou Co.

Part time job Description:

We provide you with business messages which require revision and your task is to make necessary corrections as an english speaking person, and e-mail them back to us.

Payment:

There is no fixed salary for this vacancy. We offer $5.00 per 1Kb of the text which you revise (the workload is about 4-5 Kb a day). The salary is paid once a month, and begins with the date of the first revision you make. (Example: by editing 5Kb of texts a day you earn $1000.00 a month)

Requirements:

-Applicant must be a US citizen
-Applicant must be of a legal age: 21+
-Applicant should be skilled in computer usage, and American English

Feel free to submit the application form which follows only to e-mail: ran.devou.gr@gmail.com
__________
FULL NAME:
HOME ADDRESS:
CITY, STATE, ZIP CODE:
Phone number (home or cell, but SHOULD BE available any day time):
E-MAIL:
AGE:
OCCUPATION:
EDUCATION:
----------

You will receive a response from us in 24 hours.

If you have any questions please reply only at our e-mail: ran.devou.gr@gmail.com

Sincerely, Ran-De-Vou Co. Team

Unlike the usual money mule and parcel reshipping scam jobs, this really does seem to be asking for a proofreader. And given the poor quality of English seen in some of these scams, it is easy to understand why. In fact, there is a whole underground fake career network aimed at recruiting virtual office staff for these bogus outfits. Unfortunately for these "employees", they are usually the people that end up having to deal with the police when the scam gets busted.

You could make 5,000 pounds online in a week without delaying your present job...

Hit REPLY for more details..

NOTICE: IF YOU ARE SERIOUS TO GET EMPLOYED ONLINE, YOU MUST REGULARLY CHECK YOUR JUNK OR/ BULK OR/ SPAM FOLDERS IN OTHER NOT TO LOSE SOME OF OUR MESSAGES.

Although it appears to be "from" louvretec.co.nz, hitting "reply" comes up with a completely different email address of louvretecproductsltd.n.z@emailaccount.com. The scammers are hoping that no-one will notice this. (In case you are wondering why it is different, it's an annoying feature called the "reply to" address).

£5000 a week sounds good.. after all, that's over a quarter of a million quid a year. Yeah right..

One interesting thing with this spam is the bit at the bottom. The scammers realise that spam filters tend to remove junk like this, so they are asking you to check your junk messages for job offers. Not a good idea.

Originating IP address is 78.159.123.169, which claims to be in the UK and the message was sent to an email address stolen from a UK online retailer.
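The From / Reply-To mismatch described above is easy to check mechanically. The following is an added example, not part of the original post: the sample messages are constructed (only the `louvretec.co.nz` domain and the Reply-To address come from the post), and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: display name, From local part and Subject are
# placeholders; the From domain and Reply-To address are those quoted above.
SPAM = """\
From: Recruitment <placeholder@louvretec.co.nz>
Reply-To: louvretecproductsltd.n.z@emailaccount.com
Subject: (constructed)

Hit REPLY for more details..
"""

# Constructed benign message: Reply-To is a subdomain of the From domain.
BENIGN = """\
From: Lists <news@example.org>
Reply-To: replies@lists.example.org
Subject: (constructed)

Hello.
"""

def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def reply_to_mismatch(raw):
    """Return both domains when a reply would leave the From domain, else None."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if not reply_dom:                      # no Reply-To: replies go to From
        return None
    if from_dom and related(from_dom, reply_dom):
        return None
    return {"from": from_dom, "reply_to": reply_dom}

if __name__ == "__main__":
    print(reply_to_mismatch(SPAM))
    print(reply_to_mismatch(BENIGN))
```

Mailing lists and bulk-mail providers also set a Reply-To on another domain, so treat a hit as one signal to weigh with others rather than a verdict.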

Wednesday, 19 November 2008

The ISC have given some good guidance on SQL injection mitigation, in case your server has been hit by Asprox or something similar. It's complicated stuff, and if you don't understand it, then it is definitely worth hiring a professional to fix your database.

Tuesday, 18 November 2008

This might be a good deal for cash-strapped consumers, but a bad deal for other anti-virus companies.

Anyway, "Microsoft Morro" is the name given to this idea of giving away free anti-virus software to consumers. I will say that Microsoft's malware scanning technology is actually pretty darned good, but having a security monoculture is not a good idea.

I think perhaps McAfee, Symantec and some other AV vendors might be lawyering up on this one..

Friday, 14 November 2008

If there was any doubt that McColo was behind a vast majority of the world's spam, then I think the figures speak for themselves. We're seeing a 69% drop in spam volumes day-on-day (although we still only have one day's worth of post-McColo data). It will be interesting to see how long this takes to recover back to "normal" levels of awfulness.

Monday, 10 November 2008

For some reason, I am seeing a big upswing in Canadian spam at the moment. This one is a very misleading offer entitled "ANNUAL WEBSITE SEARCH ENGINE SUBMISSION" for a domain that I have parked and have never used. It is only when you get near the bottom that the message carries a disclaimer "Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer".

THIS NOTICE IS A SOLICITATION AND A RECEIPT OF PAYMENT WILL CONFIRM YOUR ANNUAL SUBMISSION
*100% SATISFACTION IS GUARANTEED OR YOUR MONEY BACK

Please select the number of years you would like to signup for
[ ] 10 Years .......... $295 (Best Value, Most Recommended!)
[ ] 5 Years .......... $185
[ ] 2 Years .......... $99
[ ] 1 Years .......... $75
If you have other domains you may list them below (please send a separate check for each domain and write your domain name on the memo section of the check)
Other domain(s) __________________ , __________________ , __________________

Total $ _______

________________________________Signature

________________________________Date

Payment by Check or Money Order
Print and mail a copy of this order form along with a check or money order to the address listed below:
Domain Listings Center
8171 Yonge St. Suite# 149
Thornhill, ON L3T 2C6
Canada

Please do not forget to include a copy of this order form along with your payment!

By accepting this offer, you agree not to hold DLC liable for any part. Note that THIS IS NOT A BILL. This is a solicitation. You are under no obligation to pay the amounts stated unless you accept this offer. The information in this letter contains confidential and/or legally privileged information from the notification processing department of the Domain Listing Services Inc. This information is intended only for the use of the individual(s) named above. If you do not wish to receive further updates from DLC send an email to dolistscent3272@operamail.com to unsubscribe. If you are not the intended recipient, you are hereby notified that disclosure, copying, distribution or the taking of any action in reliance on the contents for this letter is strictly prohibited.

* 100% satisfaction guaranteed, you may request a refund within 30 days if your are not satisfied with our services.

Saturday, 8 November 2008

This is a generic sort of money mule scam email, of interest because it has the domain name melsongroup.net registered to handle the email. This seems to be one of a series hosted on Yahoo! There are lots of companies called SGP, none of them is involved in this.

Subject: Join the team of winners!

SGP is an integrated financial group. We offer to our clients a full range of financial services. Our clients have all the possibilities to find solutions to all financial problems of financial market - from bank services and insurance to assets management and complex operations on stock markets, from simple consumer goods to complex programs of financial management of large corporations, institutional and private investors.

SGP - is a large participant of the financial market, leader in many segments. However leadership is not a goal for us, but a way to realize the mission of the company - providing for long-term increase in income of our clients and shareholders.

Considering our development we need reliable and ambitious young people on a position of Transfer Manager.

The duties of the Manager include processing of money transfers arriving to his accounts from our clients. After all the required procedures of executing documents of transactions you have to transfer the money to accounts specified by our operators. All you need is free time (3 or more hours a day), skills of team working and reliability. The wage at the initial stage will be 5000$ of the total month turnover.

Requirements:
- Higher education;
- Age - 21 and more;
- Confident PC user (Microsoft Office), mail programs and Internet
- Foreign language (English is preferred)

We offer:
- Constant training
- Possibility of career and self-development
- Probation period and work in a dynamic and friendly atmosphere and team
- Competitive wage
- Bonuses according to job results

If you have become interested in this position please send your CV to jacinthe@melsongroup.net.

Thursday, 6 November 2008

JavaRealm Software (javarealm.com) is a wholly legitimate software development company from the Ukraine. This fraudulent job offer uses the "JavaRealm" name and the name "Sergey Skugarev" which does appear to be similar to an employee of JavaRealm who is not involved in this scam.

My company based in Ukraine. We've earned ourselves a reputation of a reliable and trustworthy partner working successfully with a number of West European companies and providing them with reliable software development services in financial and media sectors. Unfortunately we are currently facing some difficulties with receiving payments for our services. It usually takes us 10-30 days to receive a payment and clearing from your country and such delays are harmful to our business. We do not have so much time to accept every wire transfer.

That's why we are currently looking for partners in your country to help us accept and process these payments faster. If you are looking for a chance to make an additional profit you can become our representative in your country. As our representative you will receive 8% of every deal we conduct. Your job will be accepting funds in the form of wire transfers and forwarding them to us. It is not a full-time job, but rather a very convenient and fast way to receive additional income. We also consider opening an office in your country in the nearest future and you will then have certain privileges should you decide to apply for a full-time job. Please if you are interested in transacting business with us we will be very glad.

1. Your Full Name as it appears on your resume.
2. Education.
3. Your Contact Address.
4. Telephone/Fax number.
5. Your present Occupation and Position currently held.
6. Your Age

Please respond and we will provide you with additional details on how you can become our representative. Joining us and starting business today will cost you nothing and you will be able to earn a bit of extra money fast and easy. Should you have any questions, please feel free to contact us with all your questions.

Thank you,
Sergey Skugarev,
JavaRealm Software

This is a straightforward money mule scam. We have seen this type of scam targeting Ukrainian companies before, here and here. Avoid this one at all costs.

We would like to inform you about recent change in Lloyds TSB terms and conditions of banking services. Lloyds TSB has updated terms and conditions for both business and personal customers. Each customer should read and accept current terms and conditions. Failure to accept new terms and conditions may lead to blocking of current services. Such as loans, credit cards, online banking, savings accounts, bill payments. Take a moment to read through new terms and conditions. There are two convenient ways to request updated terms and conditions. You can request them by mail or use online banking to confirm the new terms of service. Please follow the link below to review and confirm updated terms and conditions.

www.lloydstsb.com/terms

Thank you for banking with the most trusted UK bank,
Lloyds TSB Customer Service Team

We know that this is a phish because a) it was sent to a harvested address and b) Lloyds TSB don't send out emails like this. So a typical next step would be to check the source code to find where the phishing site is.

So the only hypertext link in the document is to http://www.lloydstsb.com which is the real Lloyds TSB bank. A closer look shows an attempted image load from http://lloydstlb.com/images/logo_lloydstsb.gif which is the phishing site hosted on a botnet. The domain is registered to BIZCN.COM who seem to have taken over this sort of business from Estdomains.
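The source check described above can be automated: list every URL-bearing attribute in the HTML body, not just the visible links, and flag hosts that are a near miss for the real domain. This is an added example, not part of the original post; the markup is constructed around the two URLs quoted above, and the function names and the edit-distance threshold of 2 are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed markup; only the two URLs are the ones quoted in the post.
SAMPLE_HTML = """<html><body>
<p>Please follow the link below to review and confirm updated terms.</p>
<a href="http://www.lloydstsb.com">www.lloydstsb.com/terms</a>
<img src="http://lloydstlb.com/images/logo_lloydstsb.gif">
</body></html>"""

URL_ATTRS = {"href", "src", "action", "background"}

class UrlCollector(HTMLParser):
    """Collect every URL-bearing attribute, not just visible links."""
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.found.append((tag, name, value))

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted):
    host = host.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # Compare only as many trailing labels as the trusted domain has.
    tail = ".".join(host.split(".")[-len(trusted.split(".")):])
    # Threshold of 2 edits is an assumption chosen for this example.
    return "lookalike" if edit_distance(tail, trusted) <= 2 else "other"

def audit(html, trusted):
    parser = UrlCollector()
    parser.feed(html)
    return [(tag, attr, h, classify(h, trusted))
            for tag, attr, url in parser.found
            for h in [urlsplit(url).hostname or ""]]
```

Running `audit(SAMPLE_HTML, "lloydstsb.com")` marks the anchor as trusted and the image load as a lookalike, which is the same discrepancy found by reading the source by hand.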

The fake site looks pretty convincing.. even if no-one will click through to it.

The login screen looks authentic too.

The next step looks exactly like the genuine login. The "memorable information" prompt asks for 3 letters from a longer passphrase, specifically letters 1, 3 and 5.

But guess what, when you enter the information it tells you that you did it incorrectly and asks for letters 2, 4 and 6 instead. So now they have letters 1-6.

Blah blah blah..

But what's this at the bottom? Yup, more characters from the memorable phrase are needed..

Finally, a confirmation:

So, like many modern phishing sites the actual web site is very credible looking, even the domain name looks reasonable if you only glance at it. Fortunately for the intended victims, the idiots have messed up the spam and.. this time at least.. nobody will get this far.

Please take your time and read about this genuine offer, job position. Make money spending only few hours a day, if you are located in Australia! This position either can replace your current job, or can be as an extra income for you. Denmark successful company - Apple Sales Group brought this opportunity for you. Advertisement itself is brought to you via Google ads (Paid advertisement, assigning e-mail business account). The most convenient and smart position for anybody who has couple hours a day, Monday-Friday. You will be able to make 1400+ AUD a week! It's either - you do want to participate in this, or - you do not, that's what makes it a genuine offer and worth reading and finding out more. If you meet requirements - do not hesitate to receive full information:

1400 AUD? You said $1200 a moment ago. Are we talking US$ or AU$? At least I know it's "Genuine" because you said so twice. Shame about the really bad English, all the Danish people I know speak English very well.

*You are 18+ y/o
*You are Reliable and Enthusiastic person.
*You Have 2-3 Hours a Day of Your Spare/Free Time, Monday-Friday(Saturday).
*You Are Located in United Kingdom/Ireland.
*You Have Access to Internet 2-3 Hours A Day, Monday-Friday(Saturday).

Didn't you just say Australia? These are different countries, you know.

To receive full information reply only to e-mail: apple.swed404@gmail.com with subject "More Information" and one of our representatives will assist you shortly.
Thank you for your interest and Good Luck!

Best Regards,
App LLC Group.

Apple.Swed404? Sweden? I thought you said you were based in Denmark? App LLC? That wasn't the company name you gave earlier.

Originating IP is 95.57.7.182 in Kazakhstan. That country has featured in these fake job offers before (here and here).

Colorado Business Bank has registered our secure Web sites with VeriSign and use VeriSign Server IDs. VeriSign Server IDs enable you to verify the authenticity of our secure Web site and to communicate with our Web site securely via SSL (Secure Sockets Layer) encryption.

Proceed to customer service department>>

Sincerely, Everett Torres.
Copyright - Colorado Business Bank, a part of COBIZ BANK.